How do I secure my computers on the IPV6 network

DD-WRT Forum Index -> Broadcom SoC based Hardware
Author Message
unknown26
DD-WRT Novice


Joined: 28 May 2012
Posts: 12

PostPosted: Mon May 28, 2012 17:31    Post subject: How do I secure my computers on the IPV6 network
I have set up tunnelbroker etc. I have IPv6 running fine. But now I just want to secure my whole network up. I don't really want to have a hard firewall on every computer in the house, so is there something I could use to prevent IPv6 from the outside talking to my computers?
RMerlin
DD-WRT User


Joined: 05 Mar 2012
Posts: 273

PostPosted: Mon May 28, 2012 17:40    Post subject:
You'll have to manually configure a firewall, using ip6tables.

As a starting point, check the IPv6 guide on my website (http://www.lostrealm.ca/tower/node/81). While targeted at the Asus RT-N66U, I was originally using those rules on an E2000 running DD-WRT. Replace v6in4 with whatever interface DD-WRT uses for the tunnel (I can't remember what it was).
unknown26
DD-WRT Novice


Joined: 28 May 2012
Posts: 12

PostPosted: Mon May 28, 2012 17:45    Post subject:
I'm running an E2000. Okay, so if I set the iptables up for a firewall, how do I revert back to the normal state?

I want to open up a few IPv6 and IPv4 IPs for servers. But I want to block everything except for those IPs on specific ports.
RMerlin
DD-WRT User


Joined: 05 Mar 2012
Posts: 273

PostPosted: Mon May 28, 2012 17:57    Post subject:
unknown26 wrote:
I'm running an E2000. Okay, so if I set the iptables up, how do I remove them if I want to later?


iptables entries have to be manually re-entered every time you reboot. Put your rules in the firewall script that can be edited on DD-WRT's web interface. That way they will get re-applied every reboot. Just removing those entries from the firewall script and rebooting will bring you back to the default values.

Note that you will need some basic iptables knowledge to be able to implement it. If you have never played with iptables before you might want to look for an already pre-configured set of rules specifically made for DD-WRT instead, as my example isn't directly usable anymore under DD-WRT.
unknown26
DD-WRT Novice


Joined: 28 May 2012
Posts: 12

PostPosted: Mon May 28, 2012 18:03    Post subject:
Could I run iptables commands at startup by using the DD-WRT startup command field?

So I don't have to manually enter them?
RMerlin
DD-WRT User


Joined: 05 Mar 2012
Posts: 273

PostPosted: Mon May 28, 2012 18:11    Post subject:
unknown26 wrote:
Could I run iptables commands at startup by using the DD-WRT startup command field?

So I don't have to manually enter them?


There's a firewall script in DD-WRT. Enter your content, and click on Save Firewall when on the web interface.
unknown26
DD-WRT Novice


Joined: 28 May 2012
Posts: 12

PostPosted: Fri Jun 08, 2012 10:03    Post subject: IP Tables firewall
Are there any good tutorials for building a dd-wrt firewall with iptables? I don't want to override any other previous settings.

All I want to do is block computers from accessing my computers' ports. I want to close all computer ports on IPv6 addresses on the network by default, but then have rules to specify which ports should open to a specific PC.

Could someone link me to some stuff that might teach me? Thanks.
unknown26
DD-WRT Novice


Joined: 28 May 2012
Posts: 12

PostPosted: Fri Jun 08, 2012 13:29    Post subject:
Does the E2000 firmware have the ability for ip6tables natively?
Pandora-Box
DD-WRT User


Joined: 09 Mar 2008
Posts: 218
Location: USA

PostPosted: Fri Jun 08, 2012 15:13    Post subject:
Hi unknown26,
I would suggest you check this extensive and very helpful post:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=82532&postdays=0&postorder=asc&highlight=ipv62+++111mipselkernelmodules&start=0
I have followed it and got ip6tables running.
Additionally, you might check another, pretty nice firewall utility, FWBuilder,
http://www.fwbuilder.org/
and http://www.dd-wrt.com/wiki/index.php/Firewall_Builder
It supports IPv6, a GUI, and dd-wrt. Their web site even has examples for simple IPv6 firewall rules.
You have to be careful regarding the kernel version your router is running.
There are also virtual appliances that support IPv6 firewalls. Ubuntu also has gufw, a pretty simple but nice GUI firewall, which you might check.
Good luck.
P-B

_________________
Netgear R7000
unknown26
DD-WRT Novice


Joined: 28 May 2012
Posts: 12

PostPosted: Sat Jun 09, 2012 18:52    Post subject:
Okay so I have followed through. I'm using a Linksys E2000.

So I have to install IPv6 modules etc. My process below

1) GUI: Services/Services
enable SSHd

2) GUI: Administration/Management
-enable ipv6
-enable jffs and first time users need to enable clean to format it for mounting

3) ssh to router then created the directory to place the modules
Code:
mkdir -p /jffs/lib/modules/2.6.24.111/


4) download & extract LazyTom's precompiled 2.6.24.111 ip6tables kernel modules for brcm47xx routers and get those .ko files into the /jffs/lib/modules/2.6.24.111/ directory. How it's done is up to individual tastes; I chose to download to my desktop, then extract and then do an SCP from the desktop:
Code:

Copied the module files "ip6_tables.ko, ip6table_filter.ko, nf_conntrack_ipv6.ko" to the /jffs/lib/modules/2.6.24.111 directory via SCP.

Are only these modules required, or do I need to add some additional ones?

6) Back on the router, I downloaded and installed the iptables program from the 8.02 open-wrt brcm47xx compiled packages




Which of these do I need

ip6tables-utils_1.4.0-1_mipsel.ipk
ip6tables_1.4.0-1_mipsel.ipk
kmod-ip6tables_2.6.25.20-brcm47xx-1_mipsel.ipk


I ran the following....
Code:
ipkg -force-depends install http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/kmod-ip6tables_2.6.25.20-brcm47xx-1_mipsel.ipk

ipkg -force-depends install http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/ip6tables_1.4.0-1_mipsel.ipk


--Log below---
Code:
root@Linksys:~# ipkg -force-depends install http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/kmod-ip6tables_2.6.25.20-brcm47xx-1_mipsel.ipk
Downloading http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/kmod-ip6tables_2.6.25.20-brcm47xx-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
ERROR: File not found: /jffs/usr/lib/ipkg/lists/whiterussian
       You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/non-free
       You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/backports
       You probably want to run `ipkg update'
Unpacking kmod-ip6tables...Done.
Configuring kmod-ip6tables.../jffs/usr/lib/ipkg/info/kmod-ip6tables.postinst: .: line 3: can't open /etc/functions.sh


root@Linksys:~# ipkg -force-depends install http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/ip6tables_1.4.0-1_mipsel.ipk
Downloading http://downloads.openwrt.org/kamikaze/8.09.2/brcm47xx/packages/ip6tables_1.4.0-1_mipsel.ipk ...
Connecting to downloads.openwrt.org (78.24.191.177:80)
Done.
ERROR: File not found: /jffs/usr/lib/ipkg/lists/whiterussian
       You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/non-free
       You probably want to run `ipkg update'
ERROR: File not found: /jffs/usr/lib/ipkg/lists/backports
       You probably want to run `ipkg update'
Unpacking ip6tables...ipkg_install_file: ERROR unpacking data.tar.gz from /jffs/tmp/ipkg/ip6tables_1.4.0-1_mipsel.ipk
root@Linksys:~#


7) Added the following above the tunnelbroker start-up script
Code:
insmod /jffs/lib/modules/2.6.24.111/ip6_tables.ko
insmod /jffs/lib/modules/2.6.24.111/ip6table_filter.ko
insmod /jffs/lib/modules/2.6.24.111/nf_conntrack_ipv6.ko


8) Entered the ip6tables commands in Administration > Commands > Command Shell box, then clicked Save Firewall

ip6tables script I used below...

Code:

# flush tables
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD

# set default policy
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP

# Prevent being a rh0 (routing header type 0) host (DROP before we could accept these buggy ones)
ip6tables -I INPUT -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD -m rt --rt-type 0 -j DROP

# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow traffic from local host to the IPv6-tunnel
ip6tables -A OUTPUT -o tun6rd -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT

# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
ip6tables -A FORWARD -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow some special ICMPv6 packet types, do this in an extra chain because we need it everywhere
# (create the chain if it does not exist yet, then flush it, so re-running the script does not stack duplicate rules)
ip6tables -N AllowICMPs 2>/dev/null
ip6tables -F AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs


9) Rebooted the router and then ran these testing procedures
Tried the following test

Code:
http://test-ipv6.com/
http://ipv6-test.com/
http://ipv6test.google.com/


Those were unable to see that I have IPv6, so the security is pretty high; however, to make sure that I actually have IPv6 working, I tried a proper test. See the log below of pinging the Facebook and Google sites over IPv6.


Code:
Pinging facebook.com [2a03:2880:10:1f02:face:b00c:0:25] with 32 bytes of data:
Reply from 2a03:2880:10:1f02:face:b00c:0:25: time=229ms
Reply from 2a03:2880:10:1f02:face:b00c:0:25: time=228ms
Reply from 2a03:2880:10:1f02:face:b00c:0:25: time=227ms
Reply from 2a03:2880:10:1f02:face:b00c:0:25: time=228ms

Ping statistics for 2a03:2880:10:1f02:face:b00c:0:25:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 227ms, Maximum = 229ms, Average = 228ms


Pinging google.com [2404:6800:4006:804::1003] with 32 bytes of data:
Reply from 2404:6800:4006:804::1003: time=421ms
Reply from 2404:6800:4006:804::1003: time=419ms
Reply from 2404:6800:4006:804::1003: time=420ms
Reply from 2404:6800:4006:804::1003: time=421ms

Ping statistics for 2404:6800:4006:804::1003:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 419ms, Maximum = 421ms, Average = 420ms


I also tested the ip6tables script is working by changing the script to the following...
Code:
# flush tables
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD

# set default policy
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT

# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow traffic from local host to the IPv6-tunnel
ip6tables -A OUTPUT -o tun6rd -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT

# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
ip6tables -A FORWARD -i tun6rd -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow some special ICMPv6 packet types, do this in an extra chain because we need it everywhere
# (create the chain if it does not exist yet, then flush it, so re-running the script does not stack duplicate rules)
ip6tables -N AllowICMPs 2>/dev/null
ip6tables -F AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs


This allowed me to test and verify that the IPv6 address is working over the internet and that ip6tables is working correctly.

I tested with the IPv6 test sites again and now they work since I changed the ip6table script to allow the test sites to communicate with my PC.
Code:
http://test-ipv6.com/
http://ipv6-test.com/
http://ipv6test.google.com/


Additional Information

I'm using this template for tunneling IPv6 (www.tunnelbroker.net)
http://www.dd-wrt.com/wiki/index.php/IPv6_setup_Hurricane_Electric_Tunnel_Broker

---Added the following above the tunnel broker script---

Code:
insmod /jffs/lib/modules/2.6.24.111/ip6_tables.ko
insmod /jffs/lib/modules/2.6.24.111/ip6table_filter.ko
insmod /jffs/lib/modules/2.6.24.111/nf_conntrack_ipv6.ko


Could someone please let me know if this is all working correctly, and tell me why I'm getting those errors when installing those packages from the command line? And were my testing methods correct?
Thank you.

I hope I have helped others in the process by logging and documenting the things I did.

What's next... Well, now it's opening specific ports for servers and having all other incoming communication blocked.


Could someone please write me an ip6tables script that will work with the online IPv6 tests but also block my computers from random incoming connections?
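An added example (editor's code, not from any poster in this thread) for the testing question raised above: the web test sites only show whether a browser can reach them over IPv6, not whether the saved rules are actually in force after a reboot. The function below reads the output of `ip6tables -S` from stdin and fails when any default policy is not DROP, when the stateful RELATED,ESTABLISHED return rule for the tunnel is missing, or when a rule forwards tunnel traffic unconditionally. TUN_IF defaults to he-ipv6 as in the thread's final script; the two sample rule sets are constructed, in the format `ip6tables -S` prints.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the rule set that is actually
# loaded, instead of inferring it from what web test sites can or cannot see.
# audit_ruleset reads `ip6tables -S` output on stdin and returns non-zero when
# a default policy is not DROP, the tunnel return rule is missing, or a rule
# forwards tunnel traffic without a state match or a port.
# TUN_IF is assumed to be he-ipv6 (the thread's tunnel interface name).
TUN_IF="${TUN_IF:-he-ipv6}"

audit_ruleset() {
    rules=$(cat)
    rc=0
    for chain in INPUT OUTPUT FORWARD; do
        if ! printf '%s\n' "$rules" | grep -q -- "^-P $chain DROP$"; then
            echo "FAIL: default policy for $chain is not DROP" >&2
            rc=1
        fi
    done
    # newer ip6tables may print the state match as "-m conntrack --ctstate"
    if ! printf '%s\n' "$rules" | grep -E -q -- "^-A FORWARD -i $TUN_IF .*--(ct)?state RELATED,ESTABLISHED -j ACCEPT$"; then
        echo "FAIL: no RELATED,ESTABLISHED return rule for $TUN_IF in FORWARD" >&2
        rc=1
    fi
    # an ACCEPT from the tunnel carrying neither a state match nor a port is a hole
    if printf '%s\n' "$rules" | grep -- "^-A FORWARD -i $TUN_IF " | grep -- '-j ACCEPT$' \
            | grep -v -E -e '--(ct)?state' -e '--dport' | grep -q .; then
        echo "FAIL: unconditional FORWARD ACCEPT from $TUN_IF" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample: what ip6tables -S prints after a hardened rule set like
# the final script in this thread has been applied.
GOOD_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N AllowICMPs
-A INPUT -m rt --rt-type 0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p ipv6-icmp -j AllowICMPs
-A FORWARD -m rt --rt-type 0 -j DROP
-A FORWARD -i br0 -s 2001::/16 -j ACCEPT
-A FORWARD -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p ipv6-icmp -j AllowICMPs
-A FORWARD -i he-ipv6 -d 2001:db8:1:2::10/128 -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -m rt --rt-type 0 -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o he-ipv6 -s 2001::/16 -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT'

# Constructed sample: a permissive rule set in the spirit of the "everything
# ACCEPT" test variant above, which the web test sites are happy with precisely
# because nothing is filtered.
OPEN_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i he-ipv6 -j ACCEPT'

printf '%s\n' "$GOOD_RULES" | audit_ruleset && echo "hardened rule set: OK"
printf '%s\n' "$OPEN_RULES" | audit_ruleset || echo "open rule set: rejected as expected"
```

On the router the check is `ip6tables -S | audit_ruleset`; running it after each reboot is the cheapest way to notice that a module failed to load and the rules never went in.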
unknown26
DD-WRT Novice


Joined: 28 May 2012
Posts: 12

PostPosted: Mon Jul 02, 2012 21:06    Post subject: My final script seems perfect
Here is my final ip6tables script (note this is for the Hurricane Electric Tunnelbroker).

Code:

# Allows you to access port forwards to internal computers with ipv4 WAN IP
iptables -t nat -I POSTROUTING -o br0 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE

# flush tables
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD

# Default rule DROP for all chains
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Prevent being a rh0 (routing header type 0) host (DROP before we could accept these buggy ones)
ip6tables -I INPUT -m rt --rt-type 0 -j DROP
ip6tables -I OUTPUT -m rt --rt-type 0 -j DROP
ip6tables -I FORWARD -m rt --rt-type 0 -j DROP

# Allow traffic on loopback interface
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow traffic from local host to the IPv6-tunnel
ip6tables -A OUTPUT -o he-ipv6 -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -o tun6to4 -s 2001::/16 -j ACCEPT
ip6tables -A INPUT -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow traffic from local network to local host
ip6tables -A OUTPUT -o br0 -j ACCEPT
ip6tables -A INPUT -i br0 -j ACCEPT

# Allow traffic from local network to tunnel (IPv6 world)
ip6tables -A FORWARD -i br0 -s 2001::/16 -j ACCEPT
ip6tables -A FORWARD -i he-ipv6 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i tun6to4 -d 2001::/16 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow some special ICMPv6 packet types, do this in an extra chain because we need it everywhere
# (create the chain if it does not exist yet, then flush it, so re-running the script does not stack duplicate rules)
ip6tables -N AllowICMPs 2>/dev/null
ip6tables -F AllowICMPs
# Destination unreachable
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
ip6tables -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in Output we allow everything anyway)
ip6tables -A INPUT -p icmpv6 -j AllowICMPs
ip6tables -A FORWARD -p icmpv6 -j AllowICMPs

#Allow Specific Port on all ipv6 devices in network
#ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT
#ip6tables -A FORWARD -p tcp --dport 21 -j ACCEPT

#Allow Specific Port on specific ipv6 address in network
ip6tables -A FORWARD -p tcp -d 1111:222:3333:555:6666:7777:8888:9999 --dport 21 -j ACCEPT


This script will provide protection and block all traffic from having direct access to your devices. However, devices from the outside network will be able to ping, as this script has ICMPv6 enabled.

1111:222:3333:555:6666:7777:8888:9999 - (This number being the ipv6 address of the computer)
--dport 21 - (21 Being the number of port to open)

Yes, it's all finished and complete.
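An added example (editor's code, not from any poster in this thread) that generalises the final script above and the module-loading step 7 from the earlier post: site-specific values come from variables, several host/port exposures are taken from a list instead of one hand-edited rule, each entry is validated before it becomes a rule, the custom chain is created and flushed so that saving the firewall twice does not stack duplicate rules, and the modules are verified to have produced an IPv6 filter table before any rule is applied. Defaults follow the thread (he-ipv6, br0, 2001::/16, the /jffs module directory); the ALLOW entries are constructed placeholders in the 2001:db8::/32 documentation prefix. The script is a dry run by default and only prints the commands; IP6TABLES=ip6tables is the assumed switch for applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: the final ip6tables script above,
# rewritten so that it is re-runnable and takes its site-specific values from
# variables. Defaults follow the thread; the ALLOW entries are constructed
# placeholders. Dry run by default: commands are printed, not executed. Set
# IP6TABLES=ip6tables on the router to apply them from the Save Firewall box.
TUN_IF="${TUN_IF:-he-ipv6}"
LAN_IF="${LAN_IF:-br0}"
PREFIX="${PREFIX:-2001::/16}"      # narrow this to the prefix your tunnel broker delegated
MODDIR="${MODDIR:-/jffs/lib/modules/2.6.24.111}"
IP6TABLES="${IP6TABLES:-echo ip6tables}"
# "address port" lines, one per host/port to expose through the tunnel (constructed values)
ALLOW="${ALLOW:-$(printf '%s\n' '2001:db8:1:2::10 22' '2001:db8:1:2::20 443')}"

# Step 7 of the thread as a check rather than three bare insmods: returns non-zero
# while the IPv6 filter table is absent, because running ip6tables against a
# missing table fails open and leaves every LAN host reachable from the tunnel.
load_modules() {
    for m in ip6_tables ip6table_filter nf_conntrack_ipv6; do
        insmod "$MODDIR/$m.ko" 2>/dev/null
    done
    grep -q '^filter$' /proc/net/ip6_tables_names 2>/dev/null
}

# Accept only a bare IPv6 literal (hex digits and colons) and a port in 1..65535,
# so a typo in ALLOW cannot turn into a rule nobody intended.
valid_allow_entry() {
    addr="$1"; port="$2"
    case "$addr" in ''|*[!0-9a-fA-F:]*) return 1 ;; esac
    case "$addr" in *:*) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print (dry run) or apply the rule set. Creating the custom chain with -N and
# then flushing it makes the script idempotent: saving the firewall twice never
# stacks duplicate rules the way a bare -N followed by -A does.
apply_rules() {
    $IP6TABLES -N AllowICMPs 2>/dev/null
    $IP6TABLES -F AllowICMPs
    for chain in INPUT OUTPUT FORWARD; do
        $IP6TABLES -F "$chain"
        $IP6TABLES -P "$chain" DROP
        # routing header type 0 is deprecated and abusable; drop it before anything else
        $IP6TABLES -A "$chain" -m rt --rt-type 0 -j DROP
    done
    $IP6TABLES -A INPUT -i lo -j ACCEPT
    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
    # router <-> tunnel: new connections outward, only replies back in
    $IP6TABLES -A OUTPUT -o "$TUN_IF" -s "$PREFIX" -j ACCEPT
    $IP6TABLES -A INPUT -i "$TUN_IF" -d "$PREFIX" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # router <-> LAN: unrestricted, as in the thread
    $IP6TABLES -A OUTPUT -o "$LAN_IF" -j ACCEPT
    $IP6TABLES -A INPUT -i "$LAN_IF" -j ACCEPT
    # LAN -> Internet: new connections outward, only replies back in
    $IP6TABLES -A FORWARD -i "$LAN_IF" -s "$PREFIX" -j ACCEPT
    $IP6TABLES -A FORWARD -i "$TUN_IF" -d "$PREFIX" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # ICMPv6 that IPv6 needs to work (path MTU discovery above all); echo requests rate-limited
    for t in 1 2 3 4 129; do
        $IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    $IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
    $IP6TABLES -A INPUT -p icmpv6 -j AllowICMPs
    $IP6TABLES -A FORWARD -p icmpv6 -j AllowICMPs
    # explicit per-host exposures; invalid entries are reported and skipped, never applied
    printf '%s\n' "$ALLOW" | while read -r addr port; do
        [ -n "$addr" ] || continue
        if valid_allow_entry "$addr" "$port"; then
            $IP6TABLES -A FORWARD -i "$TUN_IF" -p tcp -d "$addr" --dport "$port" -j ACCEPT
        else
            echo "skipping invalid ALLOW entry: '$addr $port'" >&2
        fi
    done
}

# Number of per-host rules the current ALLOW list produces; compare it with the
# number of hosts you meant to expose before running this for real.
allow_rule_count() {
    (IP6TABLES="echo ip6tables"; apply_rules) 2>/dev/null | grep -c -- '--dport' || true
}

if [ "$IP6TABLES" = "ip6tables" ]; then
    load_modules || { echo "IPv6 filter table not available, refusing to apply rules" >&2; exit 1; }
fi
apply_rules
```

Run it once without IP6TABLES set to review the generated commands, then paste it into the Save Firewall box with `IP6TABLES=ipv6tables` replaced by `IP6TABLES=ip6tables` at the top; because the exposures live in ALLOW rather than in hand-edited rules, adding or retiring a server is a one-line change that the validator checks before anything reaches the kernel.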
mtcstle
DD-WRT Novice


Joined: 25 Jul 2012
Posts: 3

PostPosted: Sat Jul 28, 2012 20:44    Post subject: Were to find a dd-wrt with kernel 2.6?
I've been studying on this for several days. The latest usable dd-wrt I can find is dd-wrt.v24-15230_VINT_std-nokaid_nohotspot_nostor. It has kernel 2.4.35, yet you seem to be using kernel 2.6 modules. Where can I find more recent versions? I've got an old WRT54GS with 8 megs of flash; I want to use the std-nokaid_nohotspot_nostor because it leaves me some room in /jffs. My whole reason for any of this is to set up an IPv6 network through Hurricane Electric. So you see, I need the IPv6 modules and a kernel that matches them.

All advice gratefully accepted.

mtcstle
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

PostPosted: Sun Jul 29, 2012 17:05    Post subject: Re: Were to find a dd-wrt with kernel 2.6?
mtcstle wrote:
I've been studying on this for several days. The latest usable dd-wrt I can find is dd-wrt.v24-15230_VINT_std-nokaid_nohotspot_nostor. It has kernel 2.4.35, yet you seem to be using kernel 2.6 modules. Where can I find more recent versions? I've got an old WRT54GS with 8 megs of flash; I want to use the std-nokaid_nohotspot_nostor because it leaves me some room in /jffs. My whole reason for any of this is to set up an IPv6 network through Hurricane Electric. So you see, I need the IPv6 modules and a kernel that matches them.

All advice gratefully accepted.

mtcstle

You need to check the "Peacock" thread (see my signature) that is listed in this section of the forum in the "Announcements".

_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
mtcstle
DD-WRT Novice


Joined: 25 Jul 2012
Posts: 3

PostPosted: Mon Jul 30, 2012 2:15    Post subject: Choice of versions for WRT54Gs, VINT, generic, or K26
Thanks for your reply. It seems that newer K26 firmware might brick this old router but older ones might not. What is newer and what is older is not clear. To be safe, I'll probably stay with the 2.4-based v24-sp2 (08/12/10) std-nokaid (SVN revision 14929) bin I've got. But did I not read that K24 firmwares had limited iptables filtering capability? It took two days to find the K24 modules.

regards
mtcstle